Upgrading to Elasticsearch 5.6.2

Hortonworks Cybersecurity Platform (HCP) has deprecated support for Elasticsearch 2.x.
You must upgrade to Elasticsearch 5.x to use HCP queries in the current release. In addition to
upgrading to Elasticsearch 5.x, you must also update Elasticsearch type mappings, templates,
and existing sensors.

Elasticsearch 5.x requires that all sensor templates include a nested alert field
definition. Without this field, every search throws an error and no alerts are
found. This error appears in the REST service's
logs:
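
Added example, not part of the HCP documentation: a Python check that walks a response shaped like Elasticsearch 5.x `GET _template` output and lists the sensor templates whose mappings lack the nested alert field described above. The field name `alert`, the template and doc-type names, and the sample data are assumptions constructed for illustration.

```python
import copy

# Constructed sample shaped like an Elasticsearch 5.x `GET _template` response.
# Template and doc-type names are illustrative, not taken from the HCP docs.
SAMPLE_TEMPLATES = {
    "bro_index": {
        "template": "bro_index*",
        "mappings": {"bro_doc": {"properties": {
            "source:type": {"type": "keyword"},
            "alert": {"type": "nested"},          # compliant
        }}},
    },
    "snort_index": {
        "template": "snort_index*",
        "mappings": {"snort_doc": {"properties": {
            "source:type": {"type": "keyword"},   # alert field absent
        }}},
    },
    "yaf_index": {
        "template": "yaf_index*",
        "mappings": {"yaf_doc": {"properties": {
            "alert": {"type": "keyword"},         # present but not nested
        }}},
    },
}

ALERT_FIELD = "alert"  # assumed name of the nested alert field


def missing_nested_alert(templates):
    """Return sorted (template, doc_type) pairs lacking a nested alert field."""
    gaps = []
    for name, body in templates.items():
        for doc_type, mapping in body.get("mappings", {}).items():
            field = mapping.get("properties", {}).get(ALERT_FIELD)
            if not isinstance(field, dict) or field.get("type") != "nested":
                gaps.append((name, doc_type))
    return sorted(gaps)


def with_nested_alert(templates):
    """Return a deep copy in which every mapping declares the field as nested."""
    fixed = copy.deepcopy(templates)
    for name, doc_type in missing_nested_alert(fixed):
        props = fixed[name]["mappings"][doc_type].setdefault("properties", {})
        props[ALERT_FIELD] = {"type": "nested"}
    return fixed
```

A corrected template only affects indices created after it is installed, so run the check against both the stored templates and the mappings of existing sensor indices.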